Managing Network Security

Integrity First - Usually

Copyright (c) 1997, Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security
takes a management view of protection and seeks to reconcile the need for
security with the limitations of technology.

Integrity First

Two weeks ago, I was at a conference with some highly distinguished authors,
highly placed government officials, and other pundits who were trying to
get a handle on how national infrastructure policy should be altered in
response to the ongoing changes in information technology. After a day of
relatively charged exchanges, one of the speakers went through a short talk
about how the distribution of computer systems was leading to a new paradigm
and how security would be affected. During the talk, he cited example after
</gml_replace>
<gr_replace lines="39-40" cat="clarify" orig="about history">
about history that were not supported by reality. The third, and the one
that riled me most, was the implied assertion that security means secrecy.
example of how secrets could be and had been leaked, how the new paradigm
demanded the widespread use of cryptography to protect privacy, and how
distribution of control over information technology would lead to improved
privacy. By the time he got to the end, I could hardly hold my tongue. Several
other people had questions before me, and as the number of questioners was
approaching zero, the moderator identified that the last question had now
been asked. That broke it. I interrupted the flow and expressed my opinions
rather concisely.

Three things bothered me about this pundit's presentation. One had to
do with the concept that we should distribute responsibility over protection
without distributing the knowledge required to make sensible decisions (a
topic to be covered in a future article). Another had to do with some assertions
about history that were not supported by reality. The third, and the one
that riled me most was the implied assertion that security means secrecy.

I have been to a lot of talks on information protection, and one of my
pet peeves is people who use the term security but talk only about
secrecy. For more than ten years, I have been talking about integrity
issues, writing about the lack of adequate integrity protection, and working
to improve integrity in information systems. At first, I thought it was
just a lack of understanding, and later, I thought it was due to the media
concentrating on privacy issues. But today, I believe that anyone who thinks
that information security is primarily about privacy probably just doesn't
know very much about information security. After all, with widespread computer
viruses, Internet-based denial of service attacks, and attacks on the DOJ
and CIA Web sites so prominently displayed in the media, everyone knows
that privacy wasn't the issue here. Right?

The day before I was at this conference, I was at a different meeting
consisting of people with substantial background in information protection.
Most people there had discussed issues related to integrity and availability,
and there was relatively less discussion of secrecy. One of the less informed
among the attendees, having heard integrity listed before availability and
privacy one too many times, decided to ask why it was that people were talking
integrity, availability, privacy instead of giving privacy a more prominent
place. The answer I gave was in the form of a question similar to this one:

Suppose you are flying a plane in the clouds over mountainous territory
and using the Global Positioning System (GPS) to determine how high you
are and which direction you are going. Which would be worse?

Believing you were at 40,000 feet flying north when you were in fact
at 3,000 feet flying south-west.

The first option is what can happen when you lose GPS integrity. The
second option is what can happen when you lose GPS availability. The third
option is what happens when you lose GPS secrecy.

Maybe that example was too easy. Let's try another one. Suppose you are
in the banking business. Which would be worse?

The balances of all your accounts become random numbers and you cannot
correct them or find the proper balances.

The balances of all your accounts are unavailable for a month.

The balances of all your accounts are published on the Internet.

In this case, the first two are approximately the same - except that
you may find out about the loss of availability a lot sooner than the loss
of integrity. In either case, you may be out of business. The third example,
while pretty bad, is still not as bad as the other ones.

Here's one to put to a friend in the military. Which would be worse?

The enemy can forge electronic communications.

The enemy can cut off all electronic communications.

The enemy can listen in on all electronic communications.

It's a more interesting question in this case, but I think you will find
that most military people will tell you that the loss of integrity is far
worse than the loss of availability or secrecy. Without integrity, we can
be ordered to kill our own troops. Without secrecy, the enemy will know
our plans. Without availability, we have to alter our fighting style.

I'll use one more example. Suppose you are using your home computer to
compute your taxes. Which would be worse?

You compute the wrong tax results, misreport your income and deductions,
and pay half as much as you are supposed to.

Your computer doesn't work and you have to do your taxes by hand.

Your computer is connected to the Internet and it emails your correct
tax return to a mailing list.

The loss of integrity may result in a lengthy and expensive audit, will
probably result in a substantial fine, and could even get you put in jail
in some places. The loss of availability will make doing your taxes harder.
The loss of privacy could create a lot of interpersonal problems with co-workers
(if they got copies) and could cause you substantial embarrassment.

Usually

Now that you know why I place the emphasis on integrity, I have to hedge.
There are certainly examples where integrity is not as vital as secrecy.
The problem is finding them.

In most cases, integrity is more important than secrecy because integrity
is required in order for information to be used meaningfully and beneficially,
while secrecy is required only because the content may cause harm if revealed.
In order for secrecy to take precedence, we must have a case where it is
less important to be able to use the information meaningfully than it is
to keep it from being revealed.

As privacy advocates rightly point out, personal information should be
kept private. For example, if a personal e-mail message is leaked it might
be embarrassing or even harmful to the individuals involved, while a corruption
in or failure to deliver the same piece of email would probably have little
if any effect. Even a very specific corruption such as a forged personal
email message would probably not be very damaging, since the parties would
likely straighten it out over time.

It would seem that the conditions for privacy taking precedence are cases
where the information is not used - in which case there is no real reason
to keep it in a computer. For example, if the names of AIDS patients were
kept in a computer used for statistical analysis of the ways AIDS was spread,
but their names were never used for any of the statistics, then (1) the revelation
of the names could be harmful to the individuals involved, and (2) there
would be no good reason for their names to be kept in this computer. In
fact, keeping the names in this computer would be both wasteful and unnecessarily
risky. I might even be tempted to call it negligent if the names were leaked
out.

Summary

In truth, it's not easy to come up with many meaningful examples where
keeping information secret is more important than keeping it accurate or
available. Most of the examples involve an unimportant corruption of a small
portion of what is leaked. That's because leaking completely inaccurate
information does not usually cause harm.

On the other hand, it's almost always easy to come up with examples where
corruption or denial of service causes great harm.

Many privacy advocates will disagree with me on this one, and I encourage
you to seek out their views, but temper their views - and the stories you
read in the media - with this view.

About The Author

Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories
and a Senior Partner of Fred Cohen and Associates in Livermore, California,
an executive consulting and education group specializing in information protection.
He can be reached by sending email to fred at all.net.